Web-Hosted Software: Compliance as a Service

Minda Zetlin is a business technology writer and speaker, co-author of The Geek Gap, and former president of the American Society of Journalists and Authors.

Who's best able to make sure your company stays up to date and compliant in the face of ever-changing regulations and standards? For a growing number of companies, the answer is a software-as-a-service provider. A recent Gartner study found 15 to 20 percent of responding companies, both large and small, use Web-hosted software to track compliance. And more companies are using Web-hosted software to oversee compliance every year, Gartner found.

What's the attraction? As with all software-as-a-service (SaaS), it allows the company to avoid using IT staff to oversee a non-core function. 'Using software to manage compliance and compliance reporting becomes too big a burden for a small organization with limited resources,' explains Dariel LeBoeuf, senior vice president of communications and education services at TraceSecurity, a SaaS provider that helps companies with governance, risk management and compliance (GRC). 'They tell us they don't have the staff to keep up with regulations,' he says.

Does a Web-hosted compliance solution make sense for your company? It might, especially if any of the following apply:

You need to achieve compliance fast. 'That's one of the basic benefits of SaaS,' LeBoeuf says. 'The deployment efforts and infrastructure needed to support it are minimal, so you get a positive result much more quickly.' Using Web-hosted software can also help you more quickly prepare to demonstrate compliance to regulators.

You fear losing institutional knowledge. 'In the environmental and safety industries, a lot of people are nearing retirement,' notes Michele Hincks, vice president of marketing at Enviance, a SaaS provider that helps companies keep compliant with environmental, health and safety regulations. 'Once they leave, they're gone, and if something is in a spreadsheet or a log book, it might not be easy for their replacements to use that information without a lot of training. Putting in a system like ours can reduce that training time.'

You can't keep up with regulatory changes. Most regulations and other compliance standards frequently change in major and minor ways. Traditional software would require either an upgrade or some adjustment by your IT staff to take these changes into account. If your SaaS provider is committed to keeping up with these changes (which is something to ask before signing an agreement) then its automatic updates should eliminate this concern.

You're preparing for a different regulatory future. One good example of this may be greenhouse gas emissions: Hincks points out that both Barack Obama and John McCain have declared themselves in favor of a 'cap-and-trade' system in which companies would buy and sell polluting 'credits.' If such legislation is enacted, it would immediately create a large market for such credits and make demonstrating compliance much more difficult. 'Companies will need to have a standardized system, and they'll need a way to measure pollution that can be audited and certified, because now it will be a financial instrument,' she says.

You need to keep down upfront costs. The Gartner report notes that the SaaS model (which usually involves an ongoing monthly fee) may not save money in the long run, compared with the purchase of a software license. But it definitely reduces initial expenses, and provides you with an operating, rather than capital, expense for tax purposes.

When working with a SaaS provider, LeBoeuf adds, the service will help you get up and running once the software is in place. 'Make sure they have a plan beyond just implementing the software,' he says. 'Ask how employees will use the software, how they get started, and where they go with questions. A fairly large number of organizations buy software that never gets used because of lack of such expertise.'

At the same time, keep in mind that it is still your company -- not the SaaS provider -- which bears ultimate responsibility for compliance. 'Most regulations require that the company has someone in-house in charge of compliance,' LeBoeuf says. 'At most of our small-company customers, that person may also have other responsibilities. But you can't just turn it all over to someone else.'